Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 01:42

Static task: static1

Behavioral task: behavioral1
- Sample: 27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 27b1909032fd61c8538946b80e1196d7
- SHA1: 068db3c25da3037222a410cdbfa4582daaff7187
- SHA256: 462083a9b81e8eec6f13754f3d0029cd219a595b320240d2eb8f30d9e5337ed1
- SHA512: f22324929c57c480d1d854962f49e74fb03ab8d676fb3b4e2ea674cdaa4f97580251ba6d7eace1c814fdf4e9665ef45fe5c8d24c8c6ff937c67decd54e90a700
- SSDEEP: 49152:SnAQqMSPbcBVlvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBDxWa9P593R8yAVp2H
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3122) amount of remote hosts (1 TTP): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2324 mssecsvc.exe
  - 2572 mssecsvc.exe
  - 2684 tasksche.exe
- Creates a large amount of network flows (1 TTP): This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 2188 (rundll32.exe) wrote to memory of PID 1508 (rundll32.exe), 7 times
  - PID 1508 (rundll32.exe) wrote to memory of PID 2324 (mssecsvc.exe), 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 2188)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1508)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2324)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2684)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2572)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads